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Abstract 


This document defines the use of cipher suites for TLS 1.3 based on Hashed Message 
Authentication Code (HMAC). Using these cipher suites provides server and, optionally, mutual 
authentication and data authenticity, but not data confidentiality. Cipher suites with these 
properties are not of general applicability, but there are use cases, specifically in Internet of 
Things (IoT) and constrained environments, that do not require confidentiality of exchanged 
messages while still requiring integrity protection, server authentication, and optional client 
authentication. This document gives examples of such use cases, with the caveat that prior to 
using these integrity-only cipher suites, a threat model for the situation at hand is needed, anda 
threat analysis must be performed within that model to determine whether the use of integrity- 
only cipher suites is appropriate. The approach described in this document is not endorsed by the 
IETF and does not have IETF consensus, but it is presented here to enable interoperable 
implementation of a reduced-security mechanism that provides authentication and message 
integrity without supporting confidentiality. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is published for informational 
purposes. 


This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor 
has chosen to publish this document at its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by the RFC Editor are not 
candidates for any level of Internet Standard; see Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and howto provide feedback 
on it may be obtained at https://www.rfc-editor.org/info/rfc9150. 


Cam-Winget & Visoky Informational Page 1 


RFC 9150 HMAC-Only Ciphers April 2022 


Copyright Notice 


Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights 
reserved. 


This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF 
Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this 
document. Please review these documents carefully, as they describe your rights and restrictions 
with respect to this document. 


Table of Contents 


. Introduction 

. Terminology 

. Applicability Statement 

. Cryptographic Negotiation Using Integrity-Only Cipher Suites 
. Record Payload Protection for Integrity-Only Cipher Suites 

. Key Schedule when Using Integrity-Only Cipher Suites 

. Error Alerts 


. IANA Considerations 


© Won Q0 a FPF wo N e 


. Security and Privacy Considerations 
10. References 
10.1. Normative References 


10.2. Informative References 


Acknowledgements 


Authors' Addresses 


1. Introduction 


There are several use cases in which communications privacy is not strictly needed, although 
authenticity of the communications transport is still very important. For example, within the 
industrial automation space, there could be TCP or UDP communications that commanda 
robotic arm to move a certain distance at a certain speed. Without authenticity guarantees, an 
attacker could modify the packets to change the movement of the robotic arm, potentially 
causing physical damage. However, the motion control commands are not always considered to 
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be sensitive information, and thus there is no requirement to provide confidentiality. Another 
Internet of Things (IoT) example with no strong requirement for confidentiality is the reporting 
of weather information; however, message authenticity is required to ensure integrity of the 
message. 


There is no requirement to encrypt messages in environments where the information is not 
confidential, such as when there is no intellectual property associated with the processes, or 
where the threat model does not indicate any outsider attacks (such as in a closed system). Note, 
however, that this situation will not apply equally to all use cases (for example, in one casea 
robotic arm might be used for a process that does not involve any intellectual property but in 
another case might be used in a different process that does contain intellectual property). 
Therefore, it is important that a user or system developer carefully examine both the sensitivity 
of the data and the system threat model to determine the need for encryption before deploying 
equipment and security protections. 


Besides having a strong need for authenticity and no need for confidentiality, many of these 
systems also have a strong requirement for low latency. Furthermore, several classes of IoT 
devices (industrial or otherwise) have limited processing capability. However, these IoT systems 
still gain great benefit from leveraging TLS 1.3 for secure communications. Given the reduced 
need for confidentiality, TLS 1.3 cipher suites [RFC8446] that maintain data integrity without 
confidentiality are described in this document. These cipher suites are not meant for general use, 
as they do not meet the confidentiality and privacy goals of TLS. They should only be used in 
cases where confidentiality and privacy are not a concern and there are constraints on using 
cipher suites that provide the full set of security properties. The approach described in this 
document is not endorsed by the IETF and does not have IETF consensus, but it is presented here 
to enable interoperable implementation of a reduced-security mechanism that provides 
authentication and message integrity with supporting confidentiality. 


2. Terminology 


This document adopts the conventions for normative language to provide clarity of instructions 
to the implementer. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, 
they appear in all capitals, as shown here. 


3. Applicability Statement 


The two cipher suites defined in this document, which are based on Hashed Message 
Authentication Code (HMAC) SHAs [RFC6234], are intended for a small limited set of applications 
where confidentiality requirements are relaxed and the need to minimize the number of 
cryptographic algorithms is prioritized. This section describes some of those applicable use cases. 


Use cases in the industrial automation industry, while requiring data integrity, often do not 
require confidential communications. Mainly, data communicated to unmanned machines to 
execute repetitive tasks does not convey private information. For example, there could bea 
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system with a robotic arm that paints the body of a car. This equipment is used within a car 
manufacturing plant and is just one piece of equipment in a multi-step manufacturing process. 
The movements of this robotic arm are likely not a trade secret or sensitive intellectual property, 
although some portions of the manufacturing of the car might very well contain sensitive 
intellectual property. Even the mixture for the paint itself might be confidential, but the mixing is 
done by a completely different piece of equipment and therefore communication to/from that 
equipment can be encrypted without requiring the communication to/from the robotic arm to be 
encrypted. Modern manufacturing often has segmented equipment with different levels of risk 
related to intellectual property, although nearly every communication interaction has strong 
data authenticity requirements. 


Another use case that is closely related is that of fine-grained time updates. Motion systems often 
rely on time synchronization to ensure proper execution. Time updates are essentially public; 
there is no threat from an attacker knowing the time update information. This should make 
intuitive sense to those not familiar with these applications; rarely if ever does time information 
present a serious attack surface dealing with privacy. However, the authenticity is still quite 
important. The consequences of maliciously modified time data can vary from mere denial of 
service to actual physical damage, depending on the particular situation and attacker capability. 
As these time synchronization updates are very fine-grained, it is again important for latency to 
be very low. 


A third use case deals with data related to alarms. Industrial control sensing equipment can be 
configured to send alarm information when it meets certain conditions -- for example, 
temperature goes above or below a given threshold. Oftentimes, this data is used to detect certain 
out-of-tolerance conditions, allowing an operator or automated system to take corrective action. 
Once again, in many systems the reading of this data doesn't grant the attacker information that 
can be exploited; it is generally just information regarding the physical state of the system. At the 
same time, being able to modify this data would allow an attacker to either trigger alarms falsely 
or cover up evidence of an attack that might allow for detection of their malicious activity. 
Furthermore, sensors are often low-powered devices that might struggle to process encrypted and 
authenticated data. These sensors might be very cost sensitive such that there is not enough 
processing power for data encryption. Sending data that is just authenticated but not encrypted 
eases the burden placed on these devices yet still allows the data to be protected against any 
tampering threats. A user can always choose to pay more for a sensor with encryption capability, 
but for some, data authenticity will be sufficient. 
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A fourth use case considers the protection of commands in the railway industry. In railway 
control systems, no confidentiality requirements are applied for the command exchange 
between an interlocking controller and a railway equipment controller (for instance, a railway 
point controller of a tram track where the position of the controlled point is publicly available). 
However, protecting the integrity and authenticity of those commands is vital; otherwise, an 
adversary could change the target position of the point by modifying the commands, which 
consequently could lead to the derailment of a passing train. Furthermore, requirements for 
providing flight-data recording of the safety-related network traffic can only be fulfilled through 
using authenticity-only ciphers as, typically, the recording is used by a third party responsible for 
the analysis after an accident. The analysis requires such third party to extract the safety-related 
commands from the recording. 


The fifth use case deals with data related to civil aviation airplanes and ground communication. 
Pilots can send and receive messages to/from ground control, such as airplane route-of-flight 
updates, weather information, controller and pilot communication, and airline back-office 
communication. Similarly, the Air Traffic Control (ATC) service uses air-to-ground 
communication to receive the surveillance data that relies on (is dependent on) downlink reports 
from an airplane's avionics. This communication occurs automatically in accordance with 
contracts established between the ATC ground system and the airplane's avionics. Reports can be 
sent whenever specific events occur or specific time intervals are reached. In many systems, the 
reading of this data doesn't grant the attacker information that can be exploited; it is generally 
just information regarding the states of the airplane, controller pilot communication, 
meteorological information, etc. At the same time, being able to modify this data would allow an 
attacker to either put aircraft in the wrong flight trajectory or provide false information to 
ground control that might delay flights, damage property, or harm life. Sending data that is not 
encrypted but is authenticated allows the data to be protected against any tampering threats. 
Data authenticity is sufficient for the air traffic, weather, and surveillance information exchanges 
between airplanes and the ground systems. 


The above use cases describe the requirements where confidentiality is not needed and/or 
interferes with other requirements. Some of these use cases are based on devices that come witha 
small runtime memory footprint and reduced processing power; therefore, the need to minimize 
the number of cryptographic algorithms used is a priority. Despite this, it is noted that memory, 
performance, and processing power implications of any given algorithm or set of algorithms are 
highly dependent on hardware and software architecture. Therefore, although these cipher suites 
may provide performance benefits, they will not necessarily provide these benefits in all cases on 
all platforms. Furthermore, in some use cases, third-party inspection of data is specifically 
needed, which is also supported through the lack of confidentiality mechanisms. 


4. Cryptographic Negotiation Using Integrity-Only Cipher 
Suites 


The cryptographic negotiation as specified in [RFC8446], Section 4.1.1 remains the same, with the 
inclusion of the following cipher suites: 


TLS_SHA256_SHA256 {0xC0,0xB4} 
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TLS_SHA384_SHA384 {0xC0,0xB5} 


As defined in [RFC8446], TLS 1.3 cipher suites denote the Authenticated Encryption with 
Associated Data (AEAD) algorithm for record protection and the hash algorithm to use with the 
HMAC-based Key Derivation Function (HKDF). The cipher suites provided by this document are 
defined in a similar way, but they use the HMAC authentication tag to model the AEAD interface, 
as only an HMAC is provided for record protection (without encryption). These cipher suites 
allow the use of SHA-256 or SHA-384 as the HMAC for data integrity protection as well as its use 
for the HKDF. The authentication mechanisms remain unchanged with the intent to only update 
the cipher suites to relax the need for confidentiality. 


Given that these cipher suites do not support confidentiality, they MUST NOT be used with 
authentication and key exchange methods that rely on confidentiality. 


5. Record Payload Protection for Integrity-Only Cipher Suites 


Record payload protection as defined in [RFC8446] is retained in modified form when integrity- 
only cipher suites are used. Note that due to the purposeful use of hash algorithms, instead of 
AEAD algorithms, confidentiality protection of the record payload is not provided. This section 
describes the mapping of record payload structures when integrity-only cipher suites are 
employed. 


Given that there is no encryption to be done at the record layer, the operations "Protect" and 
"Unprotect" take the place of "AEAD-Encrypt" and "AEAD-Decrypt" [RFC8446], respectively. 


As integrity protection is provided over the full record, the encrypted_record in the TLSCiphertext 
along with the additional_data input to protected_data (termed AEADEncrypted data in 
[RFC8446]) as defined in Section 5.2 of [RFC8446] remain the same. The TLSCiphertext.length for 
the integrity cipher suites will be: 


TLS_SHA256_SHA256: 
TLSCiphertext.length = TLSInnerPlaintext_length + 32 


TLS_SHA384_SHA384: 
TLSCiphertext.length = TLSInnerPlaintext_length + 48 


Note that TLSInnerPlaintext_length is not defined as an explicit field in [RFC8446]; this refers to 
the length of the encoded TLSInnerPlaintext structure. 


The resulting protected_record is the concatenation of the TLSInnerPlaintext with the resulting 
HMAC. Note that this is analogous to the "encrypted_record" as defined in [RFC8446], although it is 
referred to as a "protected_record" because of the lack of confidentiality via encryption. With this 
mapping, the record validation order as defined in Section 5.2 of [RFC8446] remains the same. 
That is, the encrypted_record field of TLSCiphertext is set to: 


encrypted_record = TLS13-HMAC-Protected = TLSInnerPlaintext | | 
HMAC(write_key, nonce || additional_data || TLSInnerPlaintext) 


Cam-Winget & Visoky Informational Page 6 


RFC 9150 HMAC-Only Ciphers April 2022 


Here, "nonce" refers to the per-record nonce described in Section 5.3 of [RFC8446]. 


For DTLS 1.3, the DTLSCiphertext is set to: 


encrypted_record = DTLS13-HMAC-Protected = DTLSInnerPlaintext | | 
HMAC(write_key, nonce || additional_data || DTLSInnerPlaintext) 


The DTLS "nonce" refers to the per-record nonce described in Section 4.2.2 of [DTLS13]. 


The Protect and Unprotect operations provide the integrity protection using HMAC SHA-256 or 
HMAC SHA-384 as described in [RFC6234]. 


Due to the lack of encryption of the plaintext, record padding does not provide any obfuscation 
as to the plaintext size, although it can be optionally included. 


6. Key Schedule when Using Integrity-Only Cipher Suites 


The key derivation process for integrity-only cipher suites remains the same as that defined in 
[RFC8446]. The only difference is that the keys used to protect the tunnel apply to the negotiated 
HMAC SHA-256 or HMAC SHA-384 ciphers. Note that the traffic key material (client_write_key, 
client_write_iv, server_write_key, and server_write_iv) MUST be calculated as per [RFC8446], 
Section 7.3. The key lengths and Initialization Vectors (IVs) for these cipher suites are according to 
the hash output lengths. In other words, the following key lengths and IV lengths SHALL be: 


Cipher Suite Key Length IV Length 

TLS_SHA256_SHA256 32 Bytes 32 Bytes 

TLS_SHA384_SHA384 48 Bytes 48 Bytes 
Table 1 


7. Error Alerts 


The error alerts as defined by [RFC8446] remain the same; in particular: 


bad_record_mac: This alert can also occur for a record whose message authentication code 
cannot be validated. Since these cipher suites do not involve record encryption, this alert will 
only occur when the HMAC fails to verify. 


decrypt_error: This alert, as described in [RFC8446], Section 6.2, occurs when the signature or 
message authentication code cannot be validated. Note that this error is only sent during the 
handshake, not for an error in validating record HMACs. 


Cam-Winget & Visoky Informational Page 7 


RFC 9150 HMAC-Only Ciphers April 2022 


8. IANA Considerations 


IANA has registered the following cipher suites, defined by this document, in the "TLS Cipher 
Suites" registry: 


Value Description DTLS-OK Recommended 
OxC0,0xB4 TLS_SHA256_SHA256 Y N 
0xC0,0xB5 TLS_SHA384_SHA384 Y N 

Table 2 


9. Security and Privacy Considerations 


In general, except for confidentiality and privacy, the security considerations detailed in 
[RFC8446] and [RFC5246] apply to this document. Furthermore, as the cipher suites described in 
this document do not provide any confidentiality, it is important that they only be used in cases 
where there are no confidentiality or privacy requirements and concerns; the runtime memory 
requirements can accommodate support for authenticity-only cryptographic constructs. 


With the lack of data encryption specified in this specification, no confidentiality or privacy is 
provided for the data transported via the TLS session. That is, the record layer is not encrypted 
when using these cipher suites, nor is the handshake. To highlight the loss of privacy, the 
information carried in the TLS handshake, which includes both the server and client certificates, 
while integrity protected, will be sent unencrypted. Similarly, other TLS extensions that may be 
carried in the server's EncryptedExtensions message will only be integrity protected without 
provisions for confidentiality. Furthermore, with this lack of confidentiality, any private Pre- 
Shared Key (PSK) data MUST NOT be sent in the handshake while using these cipher suites. 
However, as PSKs may be loaded externally, these cipher suites can be used with the 0-RTT 
handshake defined in [RFC8446], with the same security implications discussed therein applied. 


Application protocols that build on TLS or DTLS for protection (e.g., HTTP) may have implicit 
assumptions of data confidentiality. Any assumption of data confidentiality is invalidated by the 
use of these cipher suites, as no data confidentiality is provided. This applies to any data sent over 
the application-data channel (e.g., bearer tokens in HTTP), as data requiring confidentiality MUST 
NOT be sent using these cipher suites. 
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Limits on key usage for AEAD-based ciphers are described in [RFC8446]. However, as the cipher 
suites discussed here are not AEAD, those same limits do not apply. The general security properties 
of HMACs discussed in [RFC2104] and [BCK1] apply. Additionally, security considerations on the 
algorithm's strength based on the HMAC key length and truncation length further described in 
[RFC4868] also apply. Until further cryptanalysis demonstrates limitations on key usage for 
HMACs, general practice for key usage recommends that implementations place limits on the 
lifetime of the HMAC keys and invoke a key update as described in [RFC8446] prior to reaching 
this limit. 


DTLS 1.3 defines a mechanism for encrypting the DTLS record sequence numbers. However, as 
these cipher suites do not utilize encryption, the record sequence numbers are sent unencrypted. 
That is, the procedure for DTLS record sequence number protection is to apply no protection for 
these cipher suites. 


Given the lack of confidentiality, these cipher suites MUST NOT be enabled by default. As these 
cipher suites are meant to serve the IoT market, it is important that any IoT endpoint that uses 
them be explicitly configured with a policy of non-confidential communications. 
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